IPSec on routers behind a nat device

Hi all,
I have a very simple setup. I have 3 routers as shown below. ISP is translating R1's interface IP from 10.1.1.1 to 10.1.3.1
R1--Fas0/0-----------------------------------Fas0/0---ISP---Fas0/1------------------------------Fas0/1----R2
R1:
int fas0/0
ip add 10.1.1.1 255.255.255.0
ISP
int fas0/0
ip add 10.1.1.2 255.255.255.0
ip nat inside
int fas0/1
ip add 10.1.2.2 255.255.255.0
ip nat outside
ip nat inside source static 10.1.1.1 10.1.3.1
R2
int fas0/1
ip add 10.1.2.1 255.255.255.0
As you can see, ISP is translating R1 10.1.1.1 <-> 10.1.3.1. If I want to configure IPsec between R1 and R2, what shall I configure?

This is a lab scenario and I want to test, for my learning, how IPSec would work in such a case.
I have tried it but IPSec doesn't work with the standard configuration. Below is the configuration.
I have configured 2 loopbacks: on R1: 100.1.1.1
on R2: 200.1.1.1
R1:
crypto isakmp policy 10
 auth pre
 enc des
 hash md5
 group 2
crypto isakmp key 0 cisco address 10.1.1.1 (R2's IP)
crypto ipsec transform-set test esp-des esp-md5-hmac
 mode tunnel
access-list 101 permit ip host 100.1.1.1 host 200.1.1.1
crypto map test 10 ipsec-isakmp
 mat address 101
 set peer 10.1.1.1
 set transform-set test
ip route 0.0.0.0 0.0.0.0 10.1.0.2
R2:
crypto isakmp policy 10
 auth pre
 enc des
 hash md5
 group 2
crypto isakmp key 0 cisco address 10.1.3.1 (R2's IP)
crypto ipsec transform-set test esp-des esp-md5-hmac
 mode tunnel
access-list 101 permit ip host 200.1.1.1 host 100.1.1.1
crypto map test 10 ipsec-isakmp
 mat address 101
 set peer 10.1.3.1 (it will be 10.1.3.1-natted ip right ?)
 set transform-set test
ip route 0.0.0.0 0.0.0.0 10.1.1.2
Now when I ping from R1:
ping 200.1.1.1 source 100.1.1.1
it's not successful. Why doesn't it work? Any idea?

Similar Messages

  • IPsec VPN behind a NAT devices

    Thanks, but I just resolved the problem. Thus I deleted my posting.

    Thank you for your replies. There are 2 options: either the easy VPN client, but it requires Cisco at the other end... or this one:
    crypto keyring spokes
    pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
    crypto isakmp profile L2L
    description LAN-to-LAN for spoke router(s) connection
    keyring spokes
    match identity address 0.0.0.0
    Here is the Cisco URL where you can find further information about it:
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml
    I'm gonna test those 2 options.
    I still don't know how to push an ACL with the easy VPN client and remote mode.
    Thank you for your advice.
    regards,
    alex

  • Cisco ASA 5505 IPSEC, one endpoint behind NAT device

    We have two Cisco ASA 5505 devices.
    Both are identical, however, one of them is behind a NAT device.
    We are attempting to create an IPSEC network.
    Site fg:
    <ipsec subnet1> -- ASA 5505 (ASA1) -- <internet>
    ASA1: 10.1.1.2/24 (inside), 212.xxx.xxx.xxx/28 (outside)
    Site be:
    <ipsec_subnet2> -- ASA 5505 (ASA3) -- Zywall USG (USG1) -- <internet>
    ASA3: 10.1.4.1/24 (inside), 192.168.4.50/24 (outside)
    USG1: 192.168.4.100/24 (inside), 195.xxx.xxx.xxx/30 (outside)
    USG1: UDP port 500/4500 forwarded to 192.168.4.50
    It seems that ASA1 stops the procedure (we verified this with debug crypto isakmp 254):
    Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, QM FSM error (P2 struct &0xd1111cd8, mess id 0x81111a78)!
    Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.4.50/255.255.255.255/0/0 local proxy 212.xxx.xxx.xxx/255.255.255.255/0/0 on interface outside
    Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, PHASE 1 COMPLETED
    We verified / attempted the following:
    - NAT exemption on both sides for IPSEC subnets
    - Mirror image crypto maps
    - Disabled IKE peer ID validation (yes, pre-shared key but we ran out of ideas)
    - Toggled between static to dynamic crypto maps on ASA1
    Most search results turned up results referring to the incorrect settings of the crypto map or the lack of NAT exemption.
    Does anyone have any idea?
    195.txt contains show running-config of ASA3
    212.txt contains show running-config of ASA1
    log.txt contains the more or less entire log snippet of ASA1

    Hi,
    On 212 I see
    tunnel-group 195.xxx.xxx.xxx type ipsec-l2l
    tunnel-group 195.xxx.xxx.xxx ipsec-attributes
    pre-shared-key
    When you define the peer with a static tunnel-group entry, the ASA looks for the peer configuration in a static crypto map. If the peer is behind static NAT, configure a proper static crypto map with matching ACL and proposals.
    If the peer is behind dynamic NAT, refer to this example: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/81883-ipsec-iosrtr-dyn-pix-nat.html
    Regards,
    Abaji.

  • DirectAccess 2012 behind two NATs

    Hi Guys
    I am trying to set up a DirectAccess 2012 server with a single NIC on a VM as below.
    Basically, if I get a public IP NAT'd with port 443 via the main firewall to a private IP (10.20.1.1 /16), and then if I get this private IP again NAT'd via another firewall with port 443 to the DirectAccess server IP (192.168.2.2/18), will this setup work, as
    I will have to do this due to the current network topology at our business?
    thank you in advance.

    Hi,
    It is supported. In Windows Server 2012, the DirectAccess server can be deployed behind a NAT device with support for only a single network interface, and this removes the public IPv4 address prerequisite.
    For detailed information, please refer to the link below,
    Windows Server 2012 Direct Access – Part 1 What’s New
    http://blogs.technet.com/b/meamcs/archive/2012/05/03/windows-server-2012-direct-access-part-1-what-s-new.aspx
    Best Regards.
    Steven Lee
    TechNet Community Support

  • DMVPN Hub and Spoke behind NAT device

    Hi All,
    I have seen many documents about DMVPN Hub behind NAT or DMVPN Spoke behind NAT.
    But my case involves both situations.
    1) HUB has a Load Balancer (2 WAN links) ISP A & B
    2) Spoke has a Load Balancer (2 WAN links) ISP A & B
    Now the requirement is Spoke ISP A tunnel to HUB ISP A, Spoke ISP B tunnel to HUB ISP B.
    So a total of two DMVPN tunnels from spoke to hub, and I will use EIGRP and PBR to select the path.
    As I know, at the HUB site the LB must do static NAT for the HUB router IP, so the spoke will point to it as tunnel destination address. At the spoke LB, I will do policy routing to reach the HUB ISP A IP via the Spoke ISP A link, and the HUB ISP B IP via the Spoke ISP B link.
    HUB and Spoke have to create 2 tunnels with two different network IDs but using the same source interface.
    The tunnel destination IP at the spoke router does not directly belong to the HUB router. It is held by the HUB LB and forwarded to the HUB router by static NAT.
    Will I face any problem with this setup? Any guide?
    Sample config at HUB.
    interface Tunnel0
    bandwidth 1000
    ip address 172.16.1.1 255.255.255.0
    ip mtu 1440
    ip nhrp authentication cisco123
    ip nhrp map multicast dynamic
    ip nhrp network-id 1
    ip nhrp holdtime 600
    delay 1000
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 0
    tunnel protection ipsec profile cisco
    interface Tunnel1
    bandwidth 1000
    ip address 172.17.1.1 255.255.255.0
    ip mtu 1440
    ip nhrp authentication cisco123
    ip nhrp map multicast dynamic
    ip nhrp network-id 2
    ip nhrp holdtime 600
    delay 1000
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 1
    tunnel protection ipsec profile cisco
    Spoke Config
    interface Tunnel0
    bandwidth 1000
    ip address 172.16.1.2 255.255.255.0
    ip mtu 1440
    ip nhrp authentication cisco123
    ip nhrp map 172.16.1.1 199.1.1.1
    ip nhrp network-id 1
    ip nhrp holdtime 300
    ip nhrp nhs 172.16.1.1
    delay 1000
    tunnel source FastEthernet0/0
    tunnel destination 199.1.1.1
    tunnel key 0
    tunnel protection ipsec profile cisco
    interface Tunnel1
    bandwidth 1000
    ip address 172.17.1.2 255.255.255.0
    ip mtu 1440
    ip nhrp authentication cisco123
    ip nhrp map 172.17.1.1 200.1.1.1
    ip nhrp network-id 2
    ip nhrp holdtime 300
    ip nhrp nhs 172.17.1.1
    delay 1500
    tunnel source FastEthernet0/0
    tunnel destination 200.1.1.1
    tunnel key 1
    tunnel protection ipsec profile cisco

    Hi Marcin,
    thanks for your reply. The NAT was set up in a way it was/is just to simulate the spoke being behind a NAT device.
    About AH and ESP, you are correct there... this was actually my issue. I should have used pure ESP. In the end, TAC actually assisted me with this. Before I called TAC, I did notice the following. ISAKMP traffic was NATed to 3.3.3.3, as expected. Anything after that did not work, and it has to do with NAT and AH. Traffic was no longer NATed, so the hub saw the traffic come from 2.2.2.2 rather than 3.3.3.3; you can also see that in the error message you have pointed out. I also saw it in my packet captures. That caught my eye and I started troubleshooting it. I did not understand that AH can't be NATed. Below is TAC's explanation. All is good now. Thanks
    "Essentially, it comes down to the fact that AH will encapsulate the entire IP packet (hence why it is the outermost header) with the exception of a few mutable fields, including the DSCP/ToS, ECN, flags, fragment offset, TTL, and the header checksum. Since the source/destination IP addresses & port numbers are actually protected by the AH integrity checking, this means that a device performing a NAT operation on the packet will alter these IP header fields and effectively cause the hub router to drop the packet due to AH failure.
    Conversely, ESP traffic is able to properly traverse NAT because it doesn't include the IP header addresses & ports in its integrity check. In addition, ESP doesn't need to be the outermost header of the packet in order to work, which is why devices will attach an outer UDP/4500 header on the traffic going over NAT."
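    To make the TAC explanation above concrete, here is an added Python model (not from this thread, and not Cisco code) of what each protocol's integrity check covers: an AH-style ICV over the outer header minus its mutable fields, an ESP-style ICV over SPI, sequence number and payload only, and the IKE NAT-Discovery hash that lets both peers notice the translation and move to UDP/4500. The addresses are the lab values from the first post (R1 10.1.1.1 translated to 10.1.3.1, peer 10.1.2.1); the key, SPIs and packet contents are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional

# Constructed demo key; a real SA derives its integrity key from the IKE exchange.
KEY = b"constructed-demo-key"


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal outer IPv4 header: TTL 64, DF set, checksum filled in."""
    fields = [0x45, 0, 20 + payload_len, 0x1234, 0x4000, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", *fields))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def ah_immutable_view(header: bytes) -> bytes:
    """Zero the fields AH treats as mutable (ToS/DSCP/ECN, flags + fragment
    offset, TTL, header checksum). Source and destination addresses stay covered."""
    h = bytearray(header)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(outer_header: bytes, payload: bytes) -> bytes:
    """AH integrity check value: covers the immutable part of the outer IP header."""
    data = ah_immutable_view(outer_header) + payload
    return hmac.new(KEY, data, hashlib.sha256).digest()[:16]


def esp_icv(esp_header: bytes, payload: bytes) -> bytes:
    """ESP ICV: covers SPI, sequence number and the (encrypted) payload only."""
    return hmac.new(KEY, esp_header + payload, hashlib.sha256).digest()[:16]


def forward_hop(header: bytes, new_src: Optional[str] = None) -> bytes:
    """One router hop: decrement TTL, optionally rewrite the source address
    (static NAT, as the ISP router does for R1), then recompute the checksum."""
    h = bytearray(header)
    h[8] -= 1
    if new_src is not None:
        h[12:16] = ipaddress.IPv4Address(new_src).packed
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h)


def ah_verifies_after(nat_src: Optional[str]) -> bool:
    """AH packet 10.1.1.1 -> 10.1.2.1; the receiver re-checks the ICV after the hop."""
    payload = b"constructed AH-protected inner packet"
    sent = build_ipv4_header("10.1.1.1", "10.1.2.1", 51, len(payload))  # 51 = AH
    icv = ah_icv(sent, payload)
    received = forward_hop(sent, nat_src)
    return hmac.compare_digest(icv, ah_icv(received, payload))


def esp_verifies_after(nat_src: Optional[str]) -> bool:
    """Same path with ESP: the receiver's check never reads the outer header."""
    payload = b"constructed ESP-encrypted inner packet"
    esp_hdr = struct.pack("!II", 0xA42ED8F1, 1)  # SPI and sequence number
    sent = build_ipv4_header("10.1.1.1", "10.1.2.1", 50, 8 + len(payload))  # 50 = ESP
    icv = esp_icv(esp_hdr, payload)
    received = forward_hop(sent, nat_src)  # outer header changes; ESP does not care
    return received != sent and hmac.compare_digest(icv, esp_icv(esp_hdr, payload))


def nat_d_hash(spi_i: bytes, spi_r: bytes, addr: str, port: int) -> bytes:
    """IKE NAT-Discovery payload: SHA-1 over the SPIs/cookies, address and port."""
    packed = spi_i + spi_r + ipaddress.IPv4Address(addr).packed + struct.pack("!H", port)
    return hashlib.sha1(packed).digest()


def nat_detected(sender_addr: str, observed_addr: str, port: int = 500) -> bool:
    """The initiator hashes the address it believes it has; the responder hashes
    the source it actually sees. A mismatch reveals a NAT in the path, so the
    peers switch to UDP/4500 (NAT-T) encapsulation instead of raw ESP."""
    spi_i, spi_r = b"\x11" * 8, b"\x22" * 8  # constructed cookie values
    claimed = nat_d_hash(spi_i, spi_r, sender_addr, port)
    observed = nat_d_hash(spi_i, spi_r, observed_addr, port)
    return claimed != observed


if __name__ == "__main__":
    print("AH, plain hop (TTL only):    ok =", ah_verifies_after(None))        # True
    print("AH, static NAT to 10.1.3.1:  ok =", ah_verifies_after("10.1.3.1"))  # False
    print("ESP, static NAT to 10.1.3.1: ok =", esp_verifies_after("10.1.3.1"))  # True
    print("NAT-D 10.1.1.1 vs 10.1.3.1: nat =", nat_detected("10.1.1.1", "10.1.3.1"))  # True
```

    The AH check survives an ordinary hop (only mutable fields change) but fails once the source address is rewritten, which is exactly the drop the hub reported; the ESP check is untouched by the same translation.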

  • VPN between 2 cisco 1841 behind NAT Device

    Hello,
    I have to configure 2 routers 1841 for an IPSEC VPN. My problem is that on the path between the routers there is a NAT device.
    On the HUB router I can see the NAT IP address but the router expects the source IP from the spoke.
    Can anybody tell me what is the Problem?
    Thanks in advance
    Lorenz

    Can you create a static NAT on your NAT device for your spoke VPN router and then use the NATed address on your peer IPSEC/ISAKMP statements on your HUB router?
    Rgds
    Paddy

  • IPsec on hosts behind load balancing NAT

    Hi,
    I have a problem configuring an IPsec tunnel between two sites, where one is using NAT for load balancing of TCP traffic. I've been working on this for hours but I found myself in a dead end.
    I have one router using NAT TCP load balancing of telnet traffic (in real deployment I need ftp load balancing; I am using telnet for testing purposes). This router is connected to another router, where multiple hosts are connected. I need to protect the traffic from those hosts to the server that is load balanced using NAT.
    So far I was not able to configure IPSec to work properly with this setup. I have a working configuration with IPSec encrypting some traffic not destined behind the NAT, but once I add a line specifying that traffic in the access lists on both sides, the IPSec stops working (and it won't work from any side of the connection, from behind the NAT or destined behind the NAT). The access list on the router performing NAT is configured to allow any traffic destined to some specific addresses, and the access list on the router with connected hosts specifies that any connection destined to the global address, where the servers are reachable, should be encrypted.
    On the side where the traffic comes from I always see a debug output like this:
    *Mar  1 05:23:54.294: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= 10.0.10.2, remote= 10.0.10.1,
        local_proxy= 10.0.2.1/255.255.255.255/6/0 (type=1),
        remote_proxy= 195.10.0.1/255.255.255.255/6/23 (type=1),
        protocol= ESP, transform= esp-des esp-sha-hmac  (Tunnel),
        lifedur= 3600s and 4608000kb,
        spi= 0xA42ED8F1(2754533617), conn_id= 0, keysize= 0, flags= 0x400A
    195.10.0.1 is my global address for the FTP server
    On the side where the encryption should be terminated I always see an output like this:
    *Mar  1 05:23:54.130: map_db_find_best did not find matching map
    *Mar  1 05:23:54.130: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 10.0.10.1
    But I can see that there is a crypto map for address 10.0.10.1
    RA#sh cryp map
    Crypto Map: "TCP_ENCRYPTION" idb: Serial0/0 local address: 10.0.10.1
    I tried to use some of the NAT traversal techniques for IPSec but without any success.
    If you have any idea what could be the problem, or if you need any additional information or debugging output, I will be glad for any help.
    Thanks, Adrian


  • RV180 - DDNS behind 2nd NAT router

    Hello community,
    is it possible to use the DDNS feature (dyndns.com) behind a 2nd NAT router?
    Network is as follows:
    INTERNET - NAT-Router (unknown device) - Cisco RV-180 (NAT) - Clients
    Kind Regard,
    Michael

    If you put your dyndns client in front of the RV180 or on the NAT router's DMZ, you should get the correct IP address. I usually use the DMZ port on a NAT router when putting a VPN router behind a NAT one; this solves a lot of the IP address issues for the VPN router.
    Huntsville's Premiere Car and Bike e-magazine: www.huntsvillecarscene.com

  • Run 3d games remotely (even behind a nat) with sound (Onlive DiY)

    Do you know OnLive? Here is a DIY howto; this is what I'm using to play games remotely on a poor netbook.
    Required packages:
    Server: virtualgl,ffmpeg,socat,sshd
    Client: virtualgl,mplayer,ssh,socat
    Server: in /etc/ssh/sshd_config:
    "AcceptEnv ALSA_CARD"
    The user who wants to play remotely has to execute the following script on (say) the poor netbook:
    (configure $user,$server and $sshport first), and as soon as it gains access to the remote shell, it has to execute:
    vglrun (parameters) /path/to/3dgame
    Main Script
    #!/bin/bash
    user=remote_username
    server=remote_server
    sshport=22
    # Commands executed on the server over ssh: restart the relays, load the ALSA
    # loopback module, relay UDP 6000 into the ssh-forwarded TCP port 5000 and
    # stream the loopback capture as RTP/MP3 to localhost:6000
    ServerSetup="\
    killall socat ffmpeg ; sleep 1 ; killall -9 socat ffmpeg; \
    echo inserting loopback module, ask for sudo pass:; \
    sudo modprobe snd-aloop; \
    socat UDP4-LISTEN:6000,fork,reuseaddr TCP:127.0.0.1:5000 &>/dev/null & \
    ffmpeg -f alsa -ac 2 -i hw:Loopback,1,0 -acodec libmp3lame -b 128k -f rtp rtp://127.0.0.1:6000 &>/dev/null"
    echo "Executing ServerSetup on " $server:$sshport ...
    ssh -f $user@$server -oPort=$sshport "$(echo $ServerSetup)"
    killall mplayer socat ; sleep 1 ; killall -9 mplayer socat
    echo "o=- 0 0 IN IP4 127.0.0.1" >/tmp/stream.sdp
    echo "c=IN IP4 127.0.0.1" >>/tmp/stream.sdp
    echo "m=audio 6000 RTP/AVP 14" >>/tmp/stream.sdp
    socat TCP4-LISTEN:5000,fork,reuseaddr UDP4:localhost:6000 &>/dev/null &
    sh -c "sleep 20 ; mplayer /tmp/stream.sdp -really-quiet </dev/null" &
    ALSA_CARD=Loopback vglconnect -s $user@$server -o SendEnv=ALSA_CARD -p $sshport -R localhost:5000:localhost:5000
    Explanation
    Graphic streaming is very easy and totally managed by VirtualGL, as video data is taken from the server by using a seamless VirtualGL window;
    vglconnect (part of the virtualgl package) is an ssh wrapper that sets up port forwarding to tunnel frames,
    no problem here for NAT environments.
    When it comes to audio, the 3D application on the server will output all audio data to a virtual loopback device;
    this is done by modprobing snd-aloop and then setting the environment variable ALSA_CARD to "Loopback".
    Sound is then encoded by ffmpeg into an MP3 streamed via RTP over UDP transport for lower delay.
    Finally, that audio will be played back on the netbook via a background mplayer.
    It will take as argument a text file (built by a bunch of echo commands at runtime) describing the stream.
    (ffplay would do it as well, but how to disable the spectrum visualization?)
    Making audio work for a client behind a NAT is somewhat tricky, because ssh only forwards TCP connections and our stream works over UDP,
    but with socat we will 'convert' UDP to TCP (ssh here!) to UDP again so that we can use ssh tunnelling facilities while in the TCP domain:
    server: ffmpeg will stream to localhost, udp port 6000
    server: socat will forward from localhost, udp port 6000 to localhost tcp port 5000
    server: vglconnect (ssh wrapper) will forward all tcp traffic directed to localhost:5000(tcp) to the remote endpoint (client), port 5000(tcp)
    client: socat will forward from localhost, tcp port 5000 to localhost udp port 6000
    client: finally mplayer will play from localhost port 6000
    Note that mplayer will run on the client, but the last step we'll do in the script is to open an ssh connection into the server,
    and that connection is necessary for mplayer to work as we'll setup port redirection there.
    So, to keep things easy from the user point of view, mplayer is started early in background with a delay (20secs)
    (read: your audio will start after a while)
    If you are not behind a nat or prefer to use a vpn, you can (but it is not necessary at all)
    * comment all of the socat commands,
    * point ffmpeg streaming to the client ip,
    * change the line that contains "c=IN IP4 127.0.0.1" to the client ip too.
    Drawbacks of the script:
    .It will kill any socat, ffmpeg and mplayer instances at startup (any idea?)
    .No process has to listen on ports 5000 and 6000 (tcp,udp); change the script or use some vars if you need it.
    .Some programs (eg: braid) don't like the alsa loopback device and output some garbage sound
    .The ALSA_CARD trick isn't going to work if you forced a !default output device in your .asoundrc (server side)
    What is missing:
    .A way to terminate leftover processes when we're done with playing
    Highly suggested:
    .remove "&>/dev/null" occurrences from the script if you run into problems
    .Setup ssh key authentication
    .Avoid sound skip by running ffmpeg with realtime priority (schedtool -n -19 -F -p 10 -e ffmpeg...)
    Side notes:
    .This thing doesn't work very well with virtualized environments, virtualbox client on the same server machine performs poorly, think that a real n280 netbook over a real 10Mbps link is smoother.
    .Audio latency is about 300ms (i know it is not THAT low, but acceptable)
    Example command for a 10Mbit network, which takes about 600KBps at 1024x600:
    vglrun -np 2 -c jpeg -q 40 -samp 1 -fps 20 ./aquaria
    -np 2 = use 2 threads to encode frames
    -q 40 = jpeg quality=40
    -samp 1 = Chrominance subsampling factor
    -fps 20 = limit the framerate to 20fps
    Last edited by kokoko3k (2012-01-24 14:11:44)

    Hi kokoko3k thanks for the script. I had some troubles to start with, but hacked around and got it going.
    I am using AMD64 Ubuntu based distributions for both client and server.
    Anyways I thought I would post the (slightly) modified script in case it helps others out there.
    #!/bin/bash
    #Prereqs:
    #Server: virtualgl,ffmpeg,socat,sshd,libavcodec-extra-53
    #Client: virtualgl,mplayer,ssh,socat
    #Server: in /etc/ssh/sshd_config:
    #"AcceptEnv ALSA_CARD"
    #Server: add to /etc/sudoers file:
    #<user> ALL=(ALL) NOPASSWD: /sbin/modprobe
    user=<user>
    server=<Server Hostname>
    sshport=22
    ServerSetup="\
    killall socat ffmpeg ; sleep 1 ; killall -9 socat ffmpeg; \
    sudo modprobe snd-aloop; \
    socat UDP4-LISTEN:6000,fork,reuseaddr TCP:127.0.0.1:5000 &>/dev/null & \
    ffmpeg -f alsa -ac 2 -i hw:Loopback,1,0 -acodec libmp3lame -b 128k -f rtp rtp://127.0.0.1:6000 &>/dev/null"
    echo "Executing ServerSetup on " $server:$sshport ...
    ssh -f $user@$server -oPort=$sshport "$(echo $ServerSetup)"
    killall vglclient mplayer socat ; sleep 1 ; killall -9 vglclient mplayer socat
    echo "o=- 0 0 IN IP4 127.0.0.1" >/tmp/stream.sdp
    echo "c=IN IP4 127.0.0.1" >>/tmp/stream.sdp
    echo "m=audio 6000 RTP/AVP 14" >>/tmp/stream.sdp
    socat TCP4-LISTEN:5000,fork,reuseaddr UDP4:localhost:6000 &>/dev/null &
    sh -c "sleep 60 ; mplayer /tmp/stream.sdp -really-quiet </dev/null" &
    ALSA_CARD=Loopback /opt/VirtualGL/bin/vglconnect -x -s $user@$server -o SendEnv=ALSA_CARD -p $sshport -R localhost:5000:localhost:5000
    Last edited by Ken (2012-02-27 18:18:33)

  • IPsec ASA5510 to ASA5505 with NAT

    Hello All,
    I'm struggling to work out the best way to set up an IPsec tunnel and be able to NAT.
    I have a requirement for a customer who needs to connect to my network over IPsec.
    He needs to connect to 2 different servers which sit behind respective firewalls.
    In order to successfully connect to either he needs to source from a specific IP and target specific IPs/ports.
    Please see the topology attached. How can the customer set up NAT on his network so that he can hit my ASA5510 for the different targets?
    Please provide some sample config if possible..
    Many thanks in advance..


  • AAA Accounting through a NAT device

    Good Day to you all,
    I am trying to configure AAA accounting through a NATted device to an ACS 4.0 server. The information is logged OK but is logged as the device that is performing the NATting. Is there a way to configure AAA accounting to show the actual device being updated in the ACS logs?

    Assuming it's RADIUS...
    Is it possible to get the originating device to include the NAS-IP-Address or NAS-Identifier attributes in the accounting records?
    This will be the actual device values rather than the peer address of the NAT device.

  • TACACS+ requests through NAT device

    Hi everyone.
    I want to authenticate and authorize VTY access to Cisco devices using TACACS+. The config is pretty "straightforward", BUT:
    I want to forward the TACACS+ request through a NAT device and on to the "Internet" where the TACACS+ server is located. (ACS 3.3)
    Two questions arise in this situation:
    - Does the TACACS+ protocol support requests through NAT devices?
    - Is it possible to connect different devices behind the NAT device, using only one outside NAT IP address? (Using the same secret key for all aaa-clients and on the ACS)
    As you see, I want to connect "as many aaa-clients as possible" to a TACACS+ server with "as easy = as few configuration changes as possible".
    I know VPNs are options as well, but it is not preferred in my design.
    Best Regards
    Jarle Steffensen

    As far as I know what you propose will work. You are the only one who knows what the local environment is and what the real requirements are and you must decide whether it is a good idea to do it this way.
    I do not see why passing the TACACS request through a NAT device would impact it, so long as the NAT was static or an overload (PAT). The request needs to get to the TACACS server with a consistent source address. If it was a dynamic NAT and one request came with one source address and the next request came with a different source address, it would only work if the TACACS server was configured with ALL of the possible translated addresses. (and part of your requirement is to simplify the config not to complicate it).
    If there are multiple devices sending requests to TACACS through the NAT device, it would look to the TACACS server as if there were a single remote device with lots of users. If you do not care that the TACACS server cannot differentiate the remote devices then your solution should work. Do you want to be able to look at the TACACS reports and see that this successful (or that unsuccessful) attempt came from this machine or that machine? If you do not care then your solution should work. If you do care to differentiate the remote activity then you need a solution like VPN which maintains the individuality of the remote devices.
    HTH
    Rick

  • "Current Time" problem behind a NAT Configured DSL Modem

    I have a WRT54GS wireless router behind a NAT configured Alcatel Speedtouch Pro DSL modem. I have noticed that the "Current Time:" is perpetually "Not Available". I am speculating that it is because the NAT blocks the synchronization, but I'm not absolutely sure. Can anyone confirm that this indeed could be the problem?
    If this is the case, is it possible to configure a NAT router to pass this signal?
    I would like to have the benefits of NAT, but I would also like to utilize the WRT54GS's policy feature to limit my kid's internet activity after hours.
    Thanks in advance!

    Alcatel makes a lot of SpeedTouch modems. I cannot tell which one you have. I assume it must be a "modem-router" rather than a true modem.
    What "Internet connection type" are you using in the WRT54GS? I assume it is probably DHCP or static. Disconnect the WRT54GS and the SpeedTouch. Set the "Internet connection type" on the WRT54GS to "static", then set the (WAN) "Internet IP address" to an address that the SpeedTouch will see as a fixed LAN IP address, set the "Default Gateway" to the LAN IP address of the SpeedTouch, set the "Subnet Mask" to 255.255.255.0, and set the "DNS server address" to your true Internet DNS server address (you should be able to find this info in the SpeedTouch).
    Hope this helps.
    Please let me know whether or not this worked.
    If you need more help, please state the exact model number of your modem (not the WRT54GS).

  • Configure OD master/replica behind a NAT

    I have 4 servers, 2 of them on public IPs (the master is one of them), and the other one on a public IP syncs OK, but the two others are behind a NAT in a DMZ with a public-IP to private-IP mapping configured: when they are promoted to replicas, the process runs until the end but suddenly the replica refuses to become a replica and returns to the previous state. Looking into the master logs, it looks like the replica sends its true IP (192.168.1.4) to the master and not the IP that it has, so I believe that this is part of the problem. I have a well-known DNS working on the master, but not on the replicas, and they point to the master as their DNS.
    Any ideas ?

    Hi
    Promote the Replica to OD Master. Demote the old Master to Standalone and then Promote to Replica. For OD Master & Replica relationships to be successful they must all be the same OS version:
    http://manuals.info.apple.com/enUS/Open_Directory_Admin_v10.5_3rdEd.pdf
    Page 57 onwards.
    Tony

  • PIX L2L VPN behind NAT device

    I need to know if it is possible to establish an L-2-L VPN if the termination device (PIX 7.x) is behind a router with NAT... All the traffic to the public IP is forwarded by the router to the PIX.
    the schema is like this:
    LAN -> FW -> Internet -> Router (NAT) -> FW (PIX) -> LAN
    (see the attached file)
    regards
    mariano

    Chris
    We are talking PIX/ASA here, aren't we? And we are talking about NATting your source IP addresses, right?
    If so, yes, absolutely you can do this, as I have done it many times in production environments.
    No, you won't need statics. You do generally need a static to go from lower to higher, but remember that is for the destination IP.
    You're not concerned with the destination IP addresses; you are only concerned with NATting the source IP addresses.
    Edit - just make sure on your NAT statement that it ends with "outside" as in the above example. This is how the PIX knows to NAT in that direction, in effect.
    Jon
